ACME Renewal Service Failing after Update

Hey there,
I am currently experiencing an issue with the renewal service for my Let’s Encrypt certs.
For debugging purposes I am currently trying:

security.acme.useRoot = true;
security.acme.defaults.enableDebugLogs = true;

and still get the issue:

+ chmod -R u=rwX,g=,o= accounts/.
chmod: changing permissions of 'accounts/./acme-v02.api.letsencrypt.org': Operation not permitted
chmod: changing permissions of 'accounts/./acme-v02.api.letsencrypt.org/<redacted>': Operation not permitted
chmod: changing permissions of 'accounts/./acme-v02.api.letsencrypt.org/<redacted>/keys': Operation not permitted

The current permissions of the folder are as follows:

drwx--S--- 3 root nginx /var/lib/acme/.lego/accounts/<redacted>/acme-v02.api.letsencrypt.org

(before changing security.acme.useRoot to true the user was still “acme”)

My initial guess is that the PR nixos/acme: Refactor setup process by m1cr0man · Pull Request #355087 · NixOS/nixpkgs · GitHub somehow broke it, but I can’t explain why, since manually running the chmod works.

Hi there. This is a fun one… especially since all parts of security.acme run as either root or acme.

Setting useRoot does dilate things - did you check the permissions before setting that to true? Does reverting it set the permissions back to acme?

Have you been using the module for a long time? It could be the case that there was a bug a while ago which resulted in a root-owned accounts directory that we never really covered with chmod before. I could add some explicit safeguards in the setup service to set the owner.
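A quick way to find the entries whose owner differs from what the module expects, so a stray root-owned account directory shows up before the `chmod -R u=rwX,g=,o= accounts/.` step fails. This is an added shell check, not code from the NixOS module or from this thread; it assumes GNU coreutils (`stat -c`) and the `accounts` tree layout shown above.

```shell
#!/usr/bin/env sh
# Constructed example: list every entry under an ACME accounts tree whose
# owner:group is not the expected one (for the NixOS module that is normally
# acme:<webserver group>, e.g. acme:nginx, or root:root with useRoot = true).
#
# Usage: acme_owner_mismatches DIR EXPECTED_USER EXPECTED_GROUP
# Prints "<owner>:<group> <mode> <path>" per mismatching entry (the mode makes a
# stray setgid bit such as drwx--S--- visible at the same time).
# Returns 0 when every entry matches, non-zero when at least one does not.
acme_owner_mismatches() {
    want="$2:$3"
    # find -exec ... {} + hands paths to an inline sh, so names with spaces are
    # safe; find itself exits non-zero if any inline sh invocation did.
    find "$1" -exec sh -c '
        want=$1; shift
        rc=0
        for p in "$@"; do
            have=$(stat -c "%U:%G" "$p" 2>/dev/null) || continue
            if [ "$have" != "$want" ]; then
                printf "%s %s %s\n" "$have" "$(stat -c %A "$p")" "$p"
                rc=1
            fi
        done
        exit $rc
    ' sh "$want" {} +
}

# Count of mismatching entries, handy for a pre-flight check in a service unit.
acme_owner_mismatch_count() {
    acme_owner_mismatches "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Run as a script: ./check.sh /var/lib/acme/.lego/accounts acme nginx
if [ "$#" -eq 3 ]; then
    acme_owner_mismatches "$1" "$2" "$3"
fi
```

A non-zero exit from the function is the signal that `chmod -R` will hit an entry the service user does not own; fix the owner first rather than loosening the chmod.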

Setting useRoot does dilate things - did you check the permissions before setting that to true?

Yes, before it was being acme:nginx

Does reverting it set the permissions back to acme?

Reverting it set the permission back to acme:nginx

Have you been using the module for a long time?

Since around April 2024 🙂

Does the issue reoccur after you fixed it manually? As in, is it reoccurring?